Identities correlation infrastructure for passive network monitoring
First Claim
1. An identity enabled policy monitoring system, comprising:
a network monitor device for receiving network traffic from a network under observation;
an Identity Acquisition Manager (IAM), executing on a hardware processor communicatively connected to said network monitor, enabling said network monitor to perform a correlation analysis of user identities and said network traffic to infer which users and user groups are responsible for generating said network traffic and enabling said network monitor to store an Internet Protocol (IP) address of the network traffic in a cache of IP addresses when the correlation analysis performed at the network monitor indicates that there is no identity associated with the IP address, the IAM further configured to determine current login information, the current login information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the IAM distributes the current login information to one or more remote network monitors, wherein the remote probing is performed over the network, and wherein probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
an identity-enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon any of user identity, authenticated computer identity, group identity, and IP address; and
a mechanism for connecting actively into the identity infrastructure of the network under observation to get information regarding identities and for passing said information regarding identities back to the IAM;
wherein an identity-enhanced view of traffic is compared against a formal specification in said identity-enhanced policy; and
wherein a human-readable report is generated indicating which traffic met and did not meet said identity-enhanced policy.
Abstract
User names and user groups serve as the basis of a formal policy in a network. A passive monitor examines network traffic in near real time and indicates: which network traffic is flowing on the network as before; which users or user groups were logged into workstations initiating this network traffic; and which of this traffic conforms to the formal policy definition. In one embodiment of the invention, users and user groups are determined by querying Microsoft® Active Directory and Microsoft® Windows servers, to determine who is logged onto the Microsoft® network. Other sources of identity information are also possible. The identity information is then correlated with the network traffic, so that even traffic that does not bear on the Microsoft® networking scheme is still tagged with identity
227 Citations
27 Claims
1. An identity enabled policy monitoring system (set out in full under "First Claim" above). Dependent claims: 2, 3.
4. A computer implemented distributed network monitoring method, the method comprising:
providing a mapping from an Internet Protocol (IP) address to an identity;
storing the IP address in a cache of IP addresses stored in a memory when the mapping indicates that there is no identity for the IP address;
providing a formal policy definition based, at least in part, upon any of user names, authenticated computer names, user groups, and computer groups;
examining network traffic, using a processor, in near real time with a passive network monitor to determine conformance with said formal policy definition; and
providing an identity acquisition manager (IAM) module for determining which users are currently logged into computers on the network from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the IAM distributes current login information to one or more remote network monitors, wherein the remote probing is performed over a network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
said passive network monitor indicating which network traffic is flowing on the network, and at least one of: which users were logged into workstations initiating the network traffic, the identity of computers initiating said network traffic, to which groups said users and/or computers belong and where said users and/or computers have previously authenticated to a network authentication infrastructure; which of said authenticated computers is receiving the network traffic; and which of the network traffic conforms to the formal policy definition.
Dependent claims: 5 through 23.
24. A method comprising:
monitoring, in an identity acquisition manager, login state information of users logged into a network under observation, the login state information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the remote probing is performed over the network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
receiving, in a passive network monitor, the login state information;
generating a local copy of the received login state information at the passive network monitor;
mapping, in accordance with the local copy of the login state information, an Internet Protocol (IP) address of the network under observation to an identity, wherein mapping an IP address of the network under observation includes storing the IP address in a cache of IP addresses stored in a memory when the mapping indicates that there is no identity associated with the IP address; and
examining network traffic, using a processor, in near real time with a passive network monitor to determine conformance with said formal policy definition, wherein conformance is based on the IP address mapping, and wherein the formal policy definition is based upon one or more of user names, authenticated computer names, user groups, and computer groups.
Dependent claims: 25, 26.
27. A system comprising:
an identity-enhanced policy having a priority ranking system for relationships based upon identities, said ranking based upon one or more of user identity, authenticated computer identity, group identity, and IP address;
a network monitor device; and
an identity acquisition manager (IAM), executing on a hardware processor communicatively connected to said network monitor, to:
determine which users are logged into a network under observation;
determine a current login state of the users using login state information determined from login events and synthesized logout information, the synthesized logout information derived using a combination of timeouts and remote probing information, wherein the remote probing is performed over the network, and wherein remote probing techniques include both identity aware and non-identity aware techniques, the identity aware techniques accessing an identity infrastructure associated with a device being probed to determine which users are currently logged into the device being probed, and the non-identity aware techniques analyzing network traffic indicated to have no identity associated with the IP address;
store the current login state as logon data; and
periodically transmit the logon data to the network monitor;
wherein the network monitor:
stores a local copy of the logon data received from the IAM;
updates the local copy of the data when updates of the logon data are received from the IAM;
receives network traffic from the network under observation;
performs a correlation analysis of user identities in the logon data and the network traffic to infer which users and user groups are responsible for generating the network traffic;
stores an Internet Protocol (IP) address of the network traffic in a cache of IP addresses when the correlation analysis indicates that there is no identity associated with the IP address; and
applies the identity-enhanced policy.
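The abstract and independent claims 1, 4, 24 and 27 describe one pipeline: an identity acquisition manager derives current login state from login events plus synthesized logouts (timeouts and probing), distributes that logon data to passive monitors, and each monitor maps a flow's source IP to a user, computer and groups, caches IPs that resolve to no identity, and checks the identity-tagged flow against a policy ranked by identity kind. The following is an added example, not code from the patent or its assignee, that implements that pipeline as a toy in Python. The login events, probe results, idle timeout, policy rules and flow records are all constructed here, and the ranking order user > computer > group > IP is an assumption, since the claims list the four kinds without fixing an order.

```python
# Added example, not code from the patent or its assignee: a toy version of the
# pipeline described in the abstract and in claims 1, 4, 24 and 27. The login
# events, probe results, idle timeout, policy rules and flow records are all
# constructed here. Ranking user > computer > group > IP is an assumption; the
# claims list the four kinds without fixing an order.
from collections import namedtuple

LOGIN_TIMEOUT = 8 * 3600  # assumed idle timeout after which a logout is synthesized
PRIORITY = {"user": 0, "computer": 1, "group": 2, "ip": 3}  # assumed ranking

# computer = authenticated computer name; groups = directory group membership
Identity = namedtuple("Identity", "user computer groups")
# kind is "user", "computer", "group" or "ip"; dst_port None matches any port
Rule = namedtuple("Rule", "kind subject dst_port action")


class IdentityAcquisitionManager:
    """Login state = login events + synthesized logouts (timeout or probe)."""

    def __init__(self, group_lookup):
        self.group_lookup = group_lookup  # stands in for the directory group query
        self.logins = {}                  # ip -> (Identity, last-seen time)

    def login_event(self, ip, user, computer, t):
        self.logins[ip] = (Identity(user, computer, frozenset(self.group_lookup(user))), t)

    def probe_result(self, ip, users_logged_in, t):
        # identity-aware probe: the device reports who is logged in right now
        if ip in self.logins:
            ident, _ = self.logins[ip]
            if ident.user in users_logged_in:
                self.logins[ip] = (ident, t)  # still there: refresh last-seen
            else:
                del self.logins[ip]           # synthesized logout

    def current_logins(self, now):
        # logon data handed to the monitors; idle entries count as logged out
        return {ip: ident for ip, (ident, seen) in self.logins.items()
                if now - seen <= LOGIN_TIMEOUT}


class PassiveMonitor:
    """Correlates flows with a local copy of the logon data and applies policy."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: PRIORITY[r.kind])  # most specific first
        self.logins = {}          # local copy of the IAM's logon data
        self.unknown_ips = set()  # cache of IPs that resolved to no identity

    def receive_logon_data(self, logins):
        self.logins = dict(logins)  # replaced whenever the IAM sends an update

    @staticmethod
    def matches(rule, src_ip, ident, dst_port):
        if rule.dst_port is not None and rule.dst_port != dst_port:
            return False
        if ident is None:  # only an IP-based rule can match unresolved traffic
            return rule.kind == "ip" and src_ip == rule.subject
        return {"user": ident.user == rule.subject,
                "computer": ident.computer == rule.subject,
                "group": rule.subject in ident.groups,
                "ip": src_ip == rule.subject}[rule.kind]

    def decide(self, src_ip, ident, dst_port):
        for rule in self.rules:  # first match wins, so a user rule beats a group rule
            if self.matches(rule, src_ip, ident, dst_port):
                return rule.action
        return "deny"  # nothing in the policy permits this flow

    def examine(self, flows):
        # one row per flow: who (user, or bare IP when unresolved), dst, port, verdict
        rows = []
        for src_ip, dst_ip, dst_port in flows:
            ident = self.logins.get(src_ip)
            if ident is None:
                self.unknown_ips.add(src_ip)  # left to the non-identity-aware techniques
            who = ident.user if ident else src_ip
            rows.append((who, dst_ip, dst_port, self.decide(src_ip, ident, dst_port)))
        return rows


def demo():
    groups = {"alice": {"finance"}, "bob": {"engineering"}}  # constructed directory
    iam = IdentityAcquisitionManager(lambda u: groups.get(u, set()))
    iam.login_event("10.0.0.5", "alice", "WS-FIN-01", t=0)
    iam.login_event("10.0.0.6", "bob", "WS-ENG-02", t=0)
    iam.login_event("10.0.0.7", "carol", "WS-OLD-03", t=0)
    iam.probe_result("10.0.0.5", {"alice"}, t=20000)  # alice still logged in
    iam.probe_result("10.0.0.6", set(), t=20000)      # bob gone: synthesized logout
    now = 30000                                       # carol idle past LOGIN_TIMEOUT
    monitor = PassiveMonitor([
        Rule("group", "finance", 443, "allow"),
        Rule("group", "finance", 22, "allow"),
        Rule("user", "alice", 22, "deny"),      # outranks the finance group rule
        Rule("ip", "10.0.0.9", 3306, "allow"),  # headless host: only its IP is known
    ])
    monitor.receive_logon_data(iam.current_logins(now))
    flows = [("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.20", 22),  # constructed
             ("10.0.0.6", "10.0.1.10", 443), ("10.0.0.9", "10.0.1.30", 3306),
             ("10.0.0.7", "10.0.1.10", 443)]
    return {"report": monitor.examine(flows), "unknown_ips": monitor.unknown_ips}
```

Running `demo()` shows what the identity-enhanced report adds over a plain flow log: alice's HTTPS flow is allowed by her finance group membership, while her SSH flow is denied because the user-level rule outranks the group allow; 10.0.0.6 has lost its identity after the probe reported bob gone and 10.0.0.7 has expired by timeout, so both land in the unknown-IP cache and fail the policy; the headless 10.0.0.9 is allowed on IP alone, the lowest-ranked relationship. In a real deployment the group lookup would be a directory query, the probe an identity-aware query of the endpoint, and the logon data would be pushed to every monitor on each update, as claim 27 describes.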
Specification